bgp flow specification revision: what is needed?
TRANSCRIPT
Agenda
- RFC5575 – BGP-FS
- BGP-FS version 1 - New Actions and Filters
- Why Revise RFC5575 – Action Conflicts + Security issues
- BGP-FS version 2
- Need feedback from Operators
RFC 5575
- Created to stop the spread of DDoS across multiple ASes
- Format: RFC4760
  - AFI: v4
  - SAFI 133: IPv4
  - SAFI 134: BGP/VPN

MP-REACH NLRI (Type 14):
  AFI (2 octets)
  SAFI (1 octet)
  Length of Next Hop (1 octet)
  Next Hop (variable)
  Reserved (1 octet, zero filled)
  NLRI (variable, filters): Length in octets (1 or 2 bytes), then NLRI values

MP-UNREACH NLRI (Type 15):
  AFI (2 octets)
  SAFI (1 octet)
  Withdrawn routes
BGP-FS New AFI/SAFIs
New AFI list:
- AFI: v4 (1)
- AFI: v6 (2)
- AFI: L2VPN (25)
Same SAFIs:
- 133 – VPN
- 134 – BGP/VPN
FS Policy Rule List
- Match Filters in BGP NLRI (SAFI 133, 134)
- Actions in BGP Extended Communities
- FS Rule: Modify, Forward
- Logical Storage of Rules: ECA = Event - Condition - Action
  - Flow-specification: Event = "packet reception", Condition = match filters in NLRI, Action = in Extended communities
  - Other ECAs: ACLs, I2RS Filter-Based RIB
Problems with RFC5575bis
- RFC5575 Unclear
  - Range comparisons, length comparison, revalidation
  - draft-loibl-bacher-idr-flowspec-clarification-00
- Conflicting BGP-FS actions
  - redirect requires conflict resolution: for IP redirect, Path Redirect
- Desired upgrades to security
  - Lessen within an AS: draft-ietf-idr-flowspec-oid
  - Additions for ROA, BGPsec
Slide labels: Must have for V1; Hold for V2
New Actions
(carried in the same MP-REACH NLRI (Type 14) / MP-UNREACH NLRI (Type 15) layout shown above)

Actions in BGP Extended Community:
- Traffic Byte Rate (0x8006)
- Traffic Action (0x8007)
- IP Redirect (0x8008, 0x8108, 0x8208)
- Interface Grouping (TBD)
- Traffic Packet Rate (TBD)
- MPLS Push/Pop (TBD)
- Path Redirect (TBD)
- v4 traffic marking (0x8009)
- v6 traffic marking (0x8009)
TBD are new IDR drafts
BGP-FS v1 New Filters
V4 = RFC5575; Others = IDR drafts

RFC5575 v4:
1: IP Destination Address
2: IP Source Prefix
3: v4: Proto
4: Port (src or dst)
5: Source Port
6: Destination Port
7: ICMP type
8: ICMP code
9: TCP Flags
10: Packet Length
11: Traffic Class
12: IPv4 Fragment

RFC5575 V6:
3: v6: next header
13: IPv6 Flow ID

L2VPN:
14: Ethernet type
15: Source MAC
16: Destination MAC
17: DSAP in LLC
18: SSAP in LLC
19: LLC control fields
20: SNAP
21: VLAN ID
22: VLAN COS
23: Inner VLAN ID
24: Inner VLAN COS

NVO3:
25: NVO3: Inner/Outer
26: VNID
27: Flow ID

MPLS (potential new filters):
28: MPLS Label
29: MPLS EXP
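As an added illustration of the v1 encoding summarised above (example code written for this page, not from the slides or from any IDR draft): the filter components 1-6 and the traffic-rate action 0x8006 are packed into an RFC 5575 NLRI plus extended community, then parsed back. It assumes IPv4 (AFI 1, SAFI 133) and only the "equal" numeric operator; the prefix, protocol and port values are constructed sample data.

```python
import struct
import ipaddress
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, SRC_PORT, DST_PORT = 1, 2, 3, 4, 5, 6  # RFC 5575 IPv4 component types

def encode_prefix(ctype, prefix):
    """Type 1/2 component: <type><prefix-len><ceil(len/8) address octets>."""
    net = ipaddress.IPv4Network(prefix)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]

def encode_numeric(ctype, values):
    """Type 3-6: <type> + operator list (byte = e a len len 0 lt gt eq); OR'ed 'eq' matches, last sets e=1."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        width, lenbits = (1, 0x00) if v < 256 else (2, 0x10)  # 1- or 2-octet value
        out += bytes([(0x80 if i == len(values) - 1 else 0) | lenbits | 0x01]) + v.to_bytes(width, "big")
    return bytes(out)

def encode_nlri(components):
    """Components in ascending type order; length prefix is 1 octet if < 240, else 2 octets as 0xFnnn."""
    body = b"".join(enc for _, enc in sorted(components))
    hdr = bytes([len(body)]) if len(body) < 240 else struct.pack("!H", 0xF000 | len(body))
    return hdr + body

def decode_nlri(data):
    """Inverse of encode_nlri: returns {component_type: prefix string or list of matched values}."""
    length, i = (struct.unpack("!H", data[:2])[0] & 0x0FFF, 2) if data[0] >= 0xF0 else (data[0], 1)
    end, rule = i + length, {}
    while i < end:
        ctype = data[i]
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen, nbytes = data[i + 1], (data[i + 1] + 7) // 8  # address is truncated to nbytes on the wire
            rule[ctype] = str(ipaddress.IPv4Network((data[i + 2:i + 2 + nbytes].ljust(4, b"\x00"), plen), strict=False))
            i += 2 + nbytes
        else:
            vals, i = [], i + 1
            while True:
                op = data[i]
                width = 1 << ((op >> 4) & 0x3)  # len bits 00/01/10/11 -> 1/2/4/8 octets
                vals.append(int.from_bytes(data[i + 1:i + 1 + width], "big"))
                i += 1 + width
                if op & 0x80:  # e bit: end of the operator list
                    break
            rule[ctype] = vals
    return rule

def discard_rule(dst_prefix, proto, dst_port):
    """Constructed sample rule: drop <proto> to <dst_prefix> port <dst_port>; traffic-rate 0x8006 of 0.0 = discard."""
    comps = [(DST_PREFIX, encode_prefix(DST_PREFIX, dst_prefix)), (IP_PROTO, encode_numeric(IP_PROTO, [proto])),
             (DST_PORT, encode_numeric(DST_PORT, [dst_port]))]
    return encode_nlri(comps), struct.pack("!BBHf", 0x80, 0x06, 0, 0.0)  # type, subtype, AS number, rate
```

Note that the encoder always emits the destination prefix first, which is what the RFC 5575 validation step (checking the rule against the unicast route for that destination) relies on.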
BGP Flow Specification V2
- Why Flowspec V2? NFV/SDN control of pathways requires ordering of the sequence
- Existing RFC5575: fixed order; must have IPv4 destination
- NFV/SDN: Filter Order set by user; Action Order set by user; Defaults = current BGP Flow Specification V1
BGP Flow Specification Version 2 (proposed): draft-hares-idr-flowspec-v2
Filters: RFC5575 Filters + New Filters

MP-REACH NLRI (Type 14):
  AFI (2 octets)
  SAFI (1 octet)
  Length of Next Hop (1 octet)
  Next Hop (variable)
  Reserved (1 octet, zero filled)
  Length in octets (1 or 2 bytes)
  BGP Wide Community Atom

MP-UNREACH NLRI (Type 15):
  AFI (2 octets)
  SAFI (1 octet)
  Withdrawn routes

Flow Spec TLVs:
  Length in octets (2 bytes)
  Sub-TLVs, each: Order (2 octets), Type (2 octets), Length (2 octets), Value (variable, filters)

Actions (ordered), each: Order (2 octets), Action type (2 octets), Action value (variable)
  Action values: RFC5575bis actions, New Actions
Feedback Needed from NANOG Operators
- How many operators use BGP-FS for DDoS?
- Within a single provider network or across multiple ASes?
- How urgent is RFC5575bis for errors?
- Do you need filters and Actions?
- Do you want BGP-FS for NFV/SDN?
- What need (now or future) is there for providers to have configured ordering of Filters or Actions?
- Do you want a YANG module to control it?
- Should standards allow both standalone + integration with FB-RIBs?